Re: PAM module and autentification i Squid - strict ip_authentificate_ttl

From: Ing. Ales Rygl <rygl@dont-contact.us>
Date: Sat, 22 Apr 2000 00:17:35 +0200

Hi,

Quoting Henrik Nordstrom <hno@hem.passagen.se>:

> Ales Rygl wrote:
>
> > Authentication is working, but I have the following problem: squid is IMHO
> > ignoring authenticate_ttl 600, authenticate_ip_ttl 600 parameters. I'd
> > like to disable users to log via proxy more than once, as is written in
> > squid.conf. If I try to auth. myself from more than 1 IP, I'm refused
> > but if I try this once more, I'm allowed to browse from both IPs!!
>
> This is authenticate_ip_ttl, and works as documented in squid.conf. It
> is only intended to discourage people from sharing their password, but
> still allow a single user to switch IP (redial, or move from one
> workstation to another). You will only see the effect if the same user
> tries to actively browse from two IP addresses. The effect is not
> obvious if you try as one person to move between two IP's.
>
> I have a development patch that extends this to a strict TTL completely
> denying access from another IP until the TTL has expired, but it
> requires some manual work to apply to the sources due to other changes
> in surrounding code confusing the patch program.

Thanks for your reply. I have found this patch on your web (Squid-2.3.STABLE1:
strict ip_authenticate_ttl option), but as you have written, patching source
code doesn't work. I'm afraid I'm not able to patch source manually. Can I find
patched version 2.3stable2 anywhere? I'd really need this
strict_ip_authenticate_ttl option because of running squid on network at school
and I need to restrict some students. I think other people will find this patched
source too.

> > And
> > after time in authenticate_ttl my re-authentication is not required?
>
> The login information is cached in the web browsers. Squid cannot force
> the web browser to reauthenticate.

:(((

Thanks

Ales Rygl

------
Received on Fri Apr 21 2000 - 17:19:54 MDT
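
A simplified model of the two behaviours described in this thread, added here as an illustration; it is not Squid's source code or the patch mentioned above. The class, the decision names and the assumption that the TTL runs from the last request seen on the bound IP are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Binding:
    ip: str           # address the user was last accepted from
    last_seen: float  # time of the last accepted request (seconds)

class IpTtlModel:
    """Toy model of a per-user IP binding with a TTL (assumed semantics)."""

    def __init__(self, ip_ttl, strict=False):
        self.ip_ttl = ip_ttl
        self.strict = strict
        self.bindings = {}

    def request(self, user, ip, now):
        b = self.bindings.get(user)
        # No binding yet, or the old one has expired: bind to this IP.
        if b is None or now - b.last_seen >= self.ip_ttl:
            self.bindings[user] = Binding(ip, now)
            return "allow"
        if b.ip == ip:
            b.last_seen = now
            return "allow"
        if self.strict:
            # Strict variant: other IPs stay locked out until the TTL expires.
            return "deny"
        # Non-strict: refuse this one request and forget the binding, so the
        # next request (from either IP) is accepted and rebinds the user.
        del self.bindings[user]
        return "reauth"

def replay(model, events):
    """Feed (user, ip, time) tuples through the model, return the decisions."""
    return [model.request(u, ip, t) for u, ip, t in events]

# Constructed sample: one person hopping between two workstations.
ONE_PERSON = [("ales", "10.0.0.1", 0), ("ales", "10.0.0.2", 10),
              ("ales", "10.0.0.2", 20), ("ales", "10.0.0.1", 30),
              ("ales", "10.0.0.1", 40)]

if __name__ == "__main__":
    print("non-strict:", replay(IpTtlModel(600), ONE_PERSON))
    print("strict:    ", replay(IpTtlModel(600, strict=True), ONE_PERSON))
```

In the non-strict run each IP change costs exactly one refused request, which is the "refused, then allowed" pattern reported in the question; in the strict run the second address stays blocked for the whole TTL.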
